Install ModSecurity on Apache for Ubuntu: A Comprehensive Guide
ModSecurity on Apache for Ubuntu acts as a web application firewall (WAF) to make your server more secure.
This security tool checks the web traffic coming to your server. It stops bad requests, such as SQL injection or cross-site scripting, before they can damage your web applications.
This guide shows you how to set up ModSecurity version 3.0.10 with Apache 2.4 on Ubuntu 22.04 LTS.
You will learn how to set up ModSecurity so it can guard your Apache web applications against common online attacks.
Install ModSecurity and the Apache module using `sudo apt update` and `sudo apt install apache2 libapache2-mod-security2`. Enable the module with `sudo a2enmod security2` and reload Apache.
How to install ModSec with Apache on Ubuntu Linux
ModSecurity (ModSec) is an open-source web application firewall (WAF). Apache was its initial development platform, and ModSec now fully supports Nginx and IIS as a web application security (WAS) tool.
Here’s how to install it with the Apache HTTP server.
Install ModSecurity and Apache
To install ModSecurity and Apache on Ubuntu, you will use a couple of commands in your terminal. This process adds an important security layer to your web server, helping to protect it from common online threats and attacks.
sudo apt update sudo apt install apache2 libapache2-mod-security2
To check that ModSec is installed, run the commands below.
apachectl -M | grep security
The command above should produce an output similar to this:
ModSecurity’s Apache module is disabled by default. You can turn the ModSecurity module on by running the commands presented below. Enabling this module is crucial for activating ModSecurity’s web application firewall features, which protect your website.
ModSecurity configuration on your Apache server in Ubuntu actively blocks threats by adjusting its main settings. Begin by copying the recommended configuration file, modsecurity.conf-recommended, and then edit this file to best protect your server.
You’ll find the default configuration file at /etc/modsecurity/modsecurity.conf-recommended. To start customizing, copy this file and rename it modsecurity.conf.
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Next, run the commands below to open the newly created config file.
sudo nano /etc/modsecurity/modsecurity.conf
# -- Rule engine initialization ---------------------------------------------- # Enable ModSecurity, attaching it to every transaction. Use detection # only to start with, because that minimises the chances of post-installation # disruption. # SecRuleEngine On # -- Request body handling --------------------------------------------------- # Allow ModSecurity to access request bodies. If you don't, ModSecurity # won't be able to see any POST parameters, which opens a large security # hole for attackers to exploit. SecRequestBodyAccess On # Enable XML request body parser. # Initiate XML Processor in case of xml content-type
Save and exit, then restart Apache.
sudo systemctl restart apache2
Add OWASP ModSecurity rules
Adding the OWASP Core Rule Set (CRS) to ModSecurity in Ubuntu gives your web apps strong, recommended security rules to defend against attacks. You do this by cloning the latest rules from GitHub to your server.
Clone the latest OWASP CRS from GitHub to the /usr/share/ directory by running the commands below.
sudo rm -rf /usr/share/modsecurity-crs sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
Next, run the commands below to open the ModSec security configuration file.
sudo nano /etc/apache2/mods-enabled/security2.conf
Then, edit the highlighted lines to enable the OWASP rules we downloaded above.
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>Save and exit.
Restart Apache and you’re good to go.
sudo systemctl restart apache2
To test that ModSec is running, run the commands below.
curl 'http://127.0.0.1/test.html?a=<script>alert(1);</script>'
You should get an output message similar to the one below:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.52 (Ubuntu) Server at 127.0.0.1 Port 80</address> </body></html>
That should do it!
Conclusion:
- ModSecurity is a powerful open-source web application firewall (WAF) that offers an extra layer of security to detect and prevent attacks before they reach the web application.
- Following the installation steps outlined above, you can successfully set up ModSecurity with Apache on Ubuntu Linux.
- OWASP ModSecurity rules, when applied, provide recommended security settings to protect your applications further.
- After completing the installation and configuration, you can verify the functionality of ModSecurity by testing it with a sample HTTP request.
- Your feedback is welcomed, and please feel free to use the comment form below to report any errors or add additional insights.
What is mod_security in Apache?
ModSecurity is the standard open-source web application firewall (WAF) engine. Originally designed as a module for the Apache HTTP Server, it has evolved to provide HTTP request and response filtering capabilities across a number of different platforms including Apache HTTP Server, Microsoft IIS and Nginx.
Is ModSecurity a good WAF?
Why use ModSecurity? Web Application Firewalls are often the first line of defense against HTTP attacks on web applications and servers. The ModSecurity WAF is widely used for this purpose along with the Coraza WAF, also provided by OWASP.
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!